Can't logon to admin page *issues w/theme* infected by hackers

[natebc]

Hi,

 

Today when we went to login to the admin page and Can't logon (http://thatsallnatural.com/admino/index.php). We get a blank white page. Dose any one know how we can fix this? 

 

Natebc 

Edited June 29, 2016 by natebc (see edit history)

[El Patron]

enable prestashop debug mode, 'anytime' you get blank page...then you will have some idea possible issue/resolution.

[natebc]

enable prestashop debug mode, 'anytime' you get blank page...then you will have some idea possible issue/resolution.

 

Hi EI Patron,

 

I was able to enable the debug mode.

 

We get this msg (Warning: Cannot modify header information - headers already sent by (output started at /home/thatsallnatural/public_html/tools/mobile_Detect/Mobile_Detect.php:1) in /home/thatsallnatural/public_html/classes/Tools.php on line 252)

 

Natebc

[natebc]

This is what we found on Tools.php in the classes folder

 

Line 246 *Redirect user to another admin page

Line 247 *

Line 248  * @param string $url Desired URL

Line 249    */

Line 250    public static function redirectAdmin($url)

Line 251    {

Line 252        header('Location: '.$url);

Line 253        exit;

Line 254  }

Line 255 

Line 256     /**

Line 257      * getShopProtocol return the available protocol for the current shop in use

Line 258      * SSL if Configuration is set on and available for the server

Line 259      *

Line 260      * @return String

Line 261      */

 

Natebc

[Rolige]

Maybe one file in the core was modified, the header was called before, or a session stared, etc, etc. If you remember the changes, you can take a look at them, therefore you can upload and replace all the important files/folders in your server with one of the zip file of the prestashop installer, the important folders are...

/admin_folder
/classes
/controllers
/js
/tools

Remember do a backup first.

[natebc]

Maybe one file in the core was modified, the header was called before, or a session stared, etc, etc. If you remember the changes, you can take a look at them, therefore you can upload and replace all the important files/folders in your server with one of the zip file of the prestashop installer, the important folders are...

/admin_folder
/classes
/controllers
/js
/tools

Remember do a backup first.

 

Hi Cotoko,

They only thing is we have not modified any header or file in the last mouth or two. Do you know if there is any way to find out what was changed? we just lost access 1-2 days ago.

 

Natebc

[musicmaster]

If you get "Cannot modify header information" it usually means that Prestashop got some PHP error or warning. So you should look in the source code of that page (rightclick in the browser and select rendering source code). You will see some text before the page starts with "<html ". 

[natebc]

Maybe one file in the core was modified, the header was called before, or a session stared, etc, etc. If you remember the changes, you can take a look at them, therefore you can upload and replace all the important files/folders in your server with one of the zip file of the prestashop installer, the important folders are...

/admin_folder
/classes
/controllers
/js
/tools

Remember do a backup first.

Hi 

 

Just so I know I have it right. We should copy and past  the files from the Prestashop installer zip folder from : /admin_folder /classes /controllers /js /tools?

 

Natebc

[natebc]

If you get "Cannot modify header information" it usually means that Prestashop got some PHP error or warning. So you should look in the source code of that page (rightclick in the browser and select rendering source code). You will see some text before the page starts with "<html ". 

 

 

I have can modify header information but I don't know what I'm supposed to modify it to or what i'm I supposed to write? Dose any one know what I am supposed to place in classes/Tools.php on line 252?

 

Natebc

[Rolige]

Hi 

 

Just so I know I have it right. We should copy and past  the files from the Prestashop installer zip folder from : /admin_folder /classes /controllers /js /tools?

 

Natebc

Come on, this is really easy...

 

(Do a backup first)

 

> Take the zip file of the PrestaShop installer (according to your version as I told you before)

> From the zip file, extract the folder "admin"

> Upload all from this folder (admin) to your server inside your admin folder (I don't know the name because was renamed remember) and overwrite

> Repeat this process for each folder listed in my previous answer

 

Once finished, clear all cache (only precaution)

[natebc]

Come on, this is really easy...

 

(Do a backup first)

 

> Take the zip file of the PrestaShop installer (according to your version as I told you before)

> From the zip file, extract the folder "admin"

> Upload all from this folder (admin) to your server inside your admin folder (I don't know the name because was renamed remember) and overwrite

> Repeat this process for each folder listed in my previous answer

 

Once finished, clear all cache (only precaution)

 

But that is what we did. We backup every thing. We unzip PrestaShop 1.6.1.1 installer extract folders to the server 

/admin

/classes

/controllers

/js

/tools

 

renamed the admin folder

 

cleared all cache

 

and after all that the blank white page is still there.

 

Natebc

[Rolige]

Could be the problem a custom modulo or override file?

 

To discard this you need turn off this options in the back office, but in this case you can't access, so, you could change/create this option directly from your database, just need...

> Access to your phpMyAdmin

> Search for the table "ps_configuration" (if you are using a different prefix, then use your custom prefix instead of "ps_")

> Once in the table, search the record with the name "PS_DISABLE_NON_NATIVE_MODULE" and set it to "1"

> Repeat the proccess with the name "PS_DISABLE_OVERRIDES"

 

If you can't find this options, use this SQL sentence to create it...

-- Just use the line of the configuration missing, otherwise will be duplicated and is not a good idea
INSERT INTO `ps_configuration` SET `name` = 'PS_DISABLE_NON_NATIVE_MODULE', `value` = 1, `date_add` = NOW(), `date_upd` = NOW();
INSERT INTO `ps_configuration` SET `name` = 'PS_DISABLE_OVERRIDES', `value` = 1, `date_add` = NOW(), `date_upd` = NOW();

[natebc]

 

Could be the problem a custom modulo or override file?

 

To discard this you need turn off this options in the back office, but in this case you can't access, so, you could change/create this option directly from your database, just need...

> Access to your phpMyAdmin

> Search for the table "ps_configuration" (if you are using a different prefix, then use your custom prefix instead of "ps_")

> Once in the table, search the record with the name "PS_DISABLE_NON_NATIVE_MODULE" and set it to "1"

> Repeat the proccess with the name "PS_DISABLE_OVERRIDES"

 

If you can't find this options, use this SQL sentence to create it...

-- Just use the line of the configuration missing, otherwise will be duplicated and is not a good idea
INSERT INTO `ps_configuration` SET `name` = 'PS_DISABLE_NON_NATIVE_MODULE', `value` = 1, `date_add` = NOW(), `date_upd` = NOW();
INSERT INTO `ps_configuration` SET `name` = 'PS_DISABLE_OVERRIDES', `value` = 1, `date_add` = NOW(), `date_upd` = NOW();

 

Hi Cotoko,

 

I have set the value 1 for both:

DISABLE_NON_NATIVE_MODULE and 

DISABLE_OVERRIDES.

 

Natebc

[razaro]

Sorry Natebc to join bit late but  

 

 

output started at /home/thatsallnatural/public_html/tools/mobile_Detect/Mobile_Detect.php:1

 

Open that file and check if there is maybe some blank space or any other sign before <?php code. 

It should not have anything before.

[natebc]

Sorry Natebc to join bit late but  

 

Open that file and check if there is maybe some blank space or any other sign before <?php code. 

It should not have anything before.

 

Hi Razaro

 

There is no blank space before <?php on line 1 File (Mobile_Detect.php). But there is  blank space between <?php and $goun67='

 

Natebc

Edited June 28, 2016 by natebc (see edit history)

[razaro]

That code does not seam right.

https://github.com/PrestaShop/PrestaShop/blob/1.6.1.x/tools/mobile_Detect/Mobile_Detect.php

Looks like maybe you have been under recent 

security issue /hack problem. You have warehouse theme so check their security fix with latest vesion.

 

And also this topic (google translate) with some explanation

https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.prestashop.com%2Fforums%2Ftopic%2F538912-achtung-sicherheitswarnung-akute-gefahr-durch-shellscript-indoxploit%2F&edit-text=&act=url 

and there you will seewhat new files are added, but also you need to check files/folders that have been changed recently,

because some code like that in mobile detect could be added.

[natebc]

That code does not seam right.

https://github.com/PrestaShop/PrestaShop/blob/1.6.1.x/tools/mobile_Detect/Mobile_Detect.php

Looks like maybe you have been under recent 

security issue /hack problem. You have warehouse theme so check their security fix with latest vesion.

 

And also this topic (google translate) with some explanation

https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.prestashop.com%2Fforums%2Ftopic%2F538912-achtung-sicherheitswarnung-akute-gefahr-durch-shellscript-indoxploit%2F&edit-text=&act=url

and there you will seewhat new files are added, but also you need to check files/folders that have been changed recently,

because some code like that in mobile detect could be added.

Hi Razaro

 

Yes they just emailed me "security issue in Warehouse theme" with some fixes (modules). I will upload them and see if that helps. The Mobile_Detect.php dose not look like the one I have. do I copy and past the same code from on link  "https://github.com/PrestaShop/PrestaShop/blob/1.6.1.x/tools/mobile_Detect/Mobile_Detect.php"? I will see if there is any other file that have been changed recently.

 

In the email they have:

 

In case you are already infected i recommand following:

1. You need to restore your backup with state before attack. hosting provder should have a backup, do a clean restore i mean to remove files added by hackers

2. once you restore upload security fix as soon as possible

3. Ask hosting provider to scan for malware

 

But our backups are after the attack.

 

Natebc

Edited June 29, 2016 by natebc (see edit history)

[razaro]

If you do not have backup you can do this. Zip complete site, files and folders and download to 

your computer and scan with your anti-virus and/or anti malware program. Then delete all files

which filenames are strrange like in that topic I linked. Alos check if there is systemcache.php file

in simpleslideshow or any other folder and delete it.

If you get warning on some known files like Mobile_Detect well that could be random file changed so it could happen in few more places. 

First check and download your version of Prestashop https://www.prestashop.com/en/developers-versions#previous-version

and compare code in matching files. Like in Mobile_detect there could be some giberish, coded values so delete those parts.

[natebc]

I like to thank every one that help out. I have had to start over with a new site. All 5 of our sites were infected. Some thing we just need to get past and get the site up and running.

 

Thanks Again.

Natebc